Understanding Kaminsky exploit w/bind

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Apr 16 07:54:48 UTC 2013


On 15.04.13 09:44, Jamie Ostrowski wrote:
>But that is the point of my question. Since it is relying on it's cached
>entry for the auth. nameserver for mydomain.com, the attacker, once the
>auth. nameserver for mydomain.com was cached, would have to wait until that
>cached NS entry for mydomain.com expires from the resolver's cache before
>they can make another attempt to send a forged NS record for mydomain.com,
>correct?

no... the attacker simply sends a bunch of replies with the spoofed source
address of the authoritative nameserver. The victim sees packets coming from
the authoritative nameserver and does not know whether they were really sent by
that server (the source address is spoofed). It's quite easy to spoof 65535
responses with different query IDs in a few seconds nowadays.

That is why random source ports are used now (it's not easy to spoof ~4
billion replies) and that is why securedns is the only way to avoid this
attack.

Once the spoofed answer with guessed ID and containing NS records of
attacker's servers is accepted, the attacker owns the domain at least within
your nameserver.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
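The two defensive checks below are an added example, not code from this post or from BIND: one estimates how much source-port variety a resolver actually exposes on its outgoing queries (a fixed port is the case Matus describes, where only the 16-bit query ID stands between the attacker and the cache), and the other flags the pattern a guessing race leaves behind, namely a burst of responses that claim to come from the authority but match neither the outstanding query's TXID nor its port. All records, addresses and names are constructed for the example, and the `Response`/`Pending` structures are assumptions standing in for whatever a resolver or packet capture would really give you.

```python
"""Defender-side checks for the cache-poisoning race described in the post.
All sample data below is constructed; nothing here sends or receives DNS."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """A DNS response as seen arriving at the resolver (assumed structure)."""
    t: float        # arrival time in seconds (constructed)
    src_ip: str     # claimed source address, i.e. the authority's IP
    dst_port: int   # resolver-side UDP port the packet was addressed to
    txid: int       # DNS transaction ID carried in the packet
    qname: str      # question name in the packet


@dataclass(frozen=True)
class Pending:
    """What the resolver actually chose for its outstanding query (assumed)."""
    src_port: int   # resolver's (hopefully random) source port
    txid: int       # resolver's chosen 16-bit query ID
    qname: str


def source_port_entropy(ports):
    """Shannon entropy in bits of observed outgoing source ports.

    This is a lower bound: with n samples the estimate can never exceed
    log2(n). The dangerous case is unmistakable anyway: a resolver that always
    queries from one port scores 0.0, leaving only the 16-bit TXID to guess."""
    n = len(ports)
    counts = Counter(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_forgery_bursts(responses, pending, window=2.0, threshold=50):
    """Return (src_ip, qname) pairs that delivered more than `threshold`
    non-matching responses inside any `window`-second span.

    A real authority sends one answer per query, and that answer carries the
    TXID and hits the port the resolver used. A flood of answers that match
    neither, all claiming the authority's address, is the guessing race."""
    mismatches = defaultdict(list)
    for r in responses:
        p = pending.get(r.qname)
        ok = p is not None and p.src_port == r.dst_port and p.txid == r.txid
        if not ok:
            mismatches[(r.src_ip, r.qname)].append(r.t)

    alerts = []
    for key, times in mismatches.items():
        times.sort()
        lo = 0
        # sliding window over arrival times
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts.append(key)
                break
    return alerts


# --- constructed sample data -------------------------------------------------
AUTHORITY_IP = "192.0.2.53"                       # documentation range, constructed
PENDING = {
    "www.example.com.": Pending(src_port=51234, txid=0x1A2B, qname="www.example.com."),
}
SAMPLE_RESPONSES = [
    # the genuine answer: right port, right TXID
    Response(0.050, AUTHORITY_IP, 51234, 0x1A2B, "www.example.com."),
    # a single stray packet for a name we never asked about (noise, not a race)
    Response(0.300, "198.51.100.7", 51234, 0x0001, "mail.example.net."),
] + [
    # 200 packets in 0.2 s claiming the authority's address, each with a
    # different guessed TXID (none equal to 0x1A2B) aimed at the known port
    Response(0.001 * i, AUTHORITY_IP, 51234, i, "www.example.com.")
    for i in range(1, 201)
]

FIXED_PORTS = [53] * 100                 # resolver pinned to one source port
VARIED_PORTS = list(range(20000, 20100))  # 100 distinct ports in the sample


if __name__ == "__main__":
    print("fixed-port entropy :", source_port_entropy(FIXED_PORTS))
    print("varied-port entropy:", round(source_port_entropy(VARIED_PORTS), 2))
    print("alerts:", detect_forgery_bursts(SAMPLE_RESPONSES, PENDING))
```

The burst detector keys on the claimed source address precisely because, as the post says, the forged packets carry the authority's address; that is why the legitimate answer and the flood end up under the same key, and why the signal is the count of non-matching packets rather than the address itself. The entropy audit only tells you whether port randomization is in effect on the queries you sampled; it says nothing about whether a NAT in front of the resolver collapses those ports again, which is worth checking separately.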

